Browser Hardening, Privacy, Anti-Fingerprint and Anti-Telemetry Guide

Still in very early development so don’t try to daily drive it or anything.

You can install Fennec from F-Droid. With a little hardening it can be just as good. I personally just installed uBlock Origin, set the security settings to strict and enabled resist fingerprinting. I then tested it against the EFF fingerprinting test and it scored decently.

I agree that using something like LibreWolf is a much simpler solution than manually tweaking.

But users have different requirements and needs.

For some users even toggling resist fingerprinting is too much work. The user would have to know that that is the cause of the breakage vs. if it’s coming from an extension or some obscure about:config setting. I might not recommend LibreWolf to people who want the browser to “just work” and don’t know or care about what a canvas is. :cookie: “What’s a cookie, can I eat it?” :cookie:

Some users may not trust 3rd party forks and want only official Chrome or official Firefox from Google and Mozilla respectively. In this wacky world of supply chain attacks, this is also understandable. E.g.: Who is evaluating LibreWolf’s source?

This thread is more for documentation and discussion, and comparison of browsers and the overall landscape as the web evolves. (and maybe a little bit of ranting too :slight_smile: )

Hopefully this thread provides a useful high level starting point for understanding some of the flags and mechanisms for those interested in digging into their own browser, and to provide some resources and tools for testing and evaluating these settings and extensions and browsers on your own.

1 Like

Librewolf is woefully behind updates.

This is good. But I haven’t really tried it when Mullvad Browser solves it for me with no prior fiddling. Tor Browser if you can get away with it with the sites that you visit.

I don’t fully agree. Now, if you are talking about staying anonymous and avoiding fingerprinting then being as average and getting lost in the crowd makes sense but as soon as you log in to any service you kind of lose that anonymity.

So, there are different use cases. For full anonymity, I would use tor-browser but it’s slow. I also have Mullvad browser that I use without any changes keeping it as fingerprinting proof as possible.

Now, Librewolf I use to login to services, although I still use it with VPN. This browser I have customized to my liking but this makes it more fingerprintable.

I don’t think that Librewolf’s hardening is perfect and I don’t mind pushing things to the point where some sites break down. So, there are settings that you can still set. First Party Isolation (FPI) for example, which is enabled with Pyllyukko’s user.js. At least I don’t think it was enabled by default.

I’m pretty new with Librewolf but I thought that it should only lag some days behind the stable branch.

Firefox 133.0 was released 2024-11-26
Librewolf 133.0.3-1 was released December 6

There are newer Firefox versions available for download though.

From a normal person’s perspective, which is admittedly ignorant, it’s crazy to break site functionality because they don’t have anything to hide and tradeoffs are not worth it. These people, so the majority, would probably think I’m a tinfoil hat level nut and overreacting. If I would let any normie use my browser they would definitely have comments on that.

I read a little bit more about it and it seems that you are correct. This very thing was actually mentioned in their FAQ-page and it seems that you definitely should not set FPI because it interferes with their newer and better dFPI solution.

So, you convinced me. Using Pyllyukko’s user.js is a mistake and I should rather stick with the standard Librewolf as you said.

In LibreWolf we decided to enable Enhanced Tracking Protection, as it plays nicely with uBO and it can block some extra scripts. Additionally, when set to strict it includes dFPI, SmartBlock, enhanced cookie cleaning, stricter referrer policies and URL query stripping. For this reason, we always suggest the default strict mode, and when using it please do not enable FPI, as it interferes with the more recent dFPI.
Frequently Asked Questions – LibreWolf

Edit:
Tor-browser and Mullvad browser seem to have privacy.firstparty.isolate = true which made me think that it might be a good idea but I guess they might do something differently. Firefox, Arkenfox and Librewolf have it as false by default.

I used LibreWolf until recently but found over time I was having issues after a Windows 11 update (Version 24H2) and often while using Linux Mint 22 so have now switched to Brave and after three weeks or so it seems better and certainly doesn’t bog down when you have a lot of tabs open.

So, going through that user.js, this is what I was left with.

  • Disable Service Workers
    ServiceWorker is dangerous
  • Disable “beacon” asynchronous HTTP transfers (used for analytics)
  • Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
  • Disable “copy to clipboard” functionality via Javascript
  • Do not automatically send selection to clipboard on some Linux platforms
  • Do not submit invalid URIs entered in the address bar to the default search engine
  • Don’t send referer headers when following links across different domains
  • Trim HTTP referer headers to only send the scheme, host, and port
  • Disable Caching of SSL Pages

librewolf.overrides.cfg.txt (2.8 KB)

Edit: That cache disabling probably doesn’t make sense if librewolf clears cache when closing browser, so that’s too much.

1 Like
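A small audit for a user.js or librewolf.overrides.cfg, flagging the two settings this thread found to cause trouble (FPI enabled against the FAQ's advice, and Service Workers disabled). This is an added example, not the attached file or any project's code; the sample input is constructed, and the pref names other than `privacy.firstparty.isolate` and `dom.serviceWorkers.enabled` are assumed mappings for the list items above.

```python
import re

# Matches user.js / librewolf.overrides.cfg lines, e.g. user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*(?:user_pref|defaultPref|lockPref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;'
)

def parse_prefs(text):
    """Return {pref_name: value}; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)  # lines commented out with // do not match
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs):
    """Flag the two settings the thread identifies as causing trouble."""
    findings = []
    if prefs.get("privacy.firstparty.isolate") is True:
        findings.append("privacy.firstparty.isolate=true interferes with dFPI "
                        "(ETP strict); LibreWolf's FAQ says to leave it off")
    if prefs.get("dom.serviceWorkers.enabled") is False:
        findings.append("dom.serviceWorkers.enabled=false breaks Firefox Sync "
                        "and some sites")
    return findings

# Constructed sample, NOT the attachment from the thread. The last line models
# a third-party user.js pasted after the browser's own defaults.
SAMPLE = """\
user_pref("privacy.firstparty.isolate", false);
user_pref("dom.serviceWorkers.enabled", false);
user_pref("beacon.enabled", false);
user_pref("network.http.referer.XOriginPolicy", 2);
// user_pref("browser.cache.disk_cache_ssl", false);
user_pref("privacy.firstparty.isolate", true);
"""

if __name__ == "__main__":
    for finding in audit(parse_prefs(SAMPLE)):
        print("WARN:", finding)
```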

This is new to me. Thanks!

// PREF: Disable Service Workers
// Worker - Web APIs | MDN
// Service Worker API - Web APIs | MDN
// Firefox/Push Notifications - MozillaWiki
// NOTICE: Disabling ServiceWorkers breaks functionality on some sites (Google Street View…)
// NOTICE: Disabling ServiceWorkers breaks Firefox Sync
// Unknown security implications
// CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)

dom.serviceWorkers.enabled = false

I’ll be curious to see what that breaks.

So far only Discord’s webapp, which I don’t like anyway. Breaking things is how you learn things. Worst case, I learn the hard way why they are important. :slight_smile:

ServiceWorkers just seem like a bad idea to me. These are from 2020 and 2021 so things might have progressed from this but I just don’t understand how using ServiceWorkers could not lead to problems but maybe I’m just an idiot.

Initially, we demonstrated two variants of history sniffing attacks that bypass current site isolation strategies and allow an attacker to infer the presence of third-party SWs through cross-origin requests hidden in iframes. We then presented a more in-depth assessment of the implications of our techniques, through a series of use cases that showcase the feasibility of more privacy-invasive attacks, such as inferring members of a user’s social circle or the existence of an account in a “sensitive” web service, or obtaining clues about the users’ sexual preferences through cached application-level information.
https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1C-2_23104_paper.pdf

In this work, we found a growing problematic practice in SW-enabled websites. These websites use URL search parameters during their service worker’s installation and blindly trust those parameters. This allows attackers to feed a malicious parameter into a benign service worker to compromise it. We termed this attack as SW-XSS. We developed a tool called SW-Scanner to evaluate the impact of SW-XSS in real-world websites. Our findings showed 40 websites to be vulnerable, wherein more than a hundred million users could potentially be affected per month.
Security Study of Service Worker Cross-Site Scripting.

2 Likes

I have been testing my browsers with different settings on:
https://www.thumbmarkjs.com/

Turned out that Mullvad doesn’t have that good protection against fingerprinting that I first thought. That site can reliably identify my browser even after restarting the browser and removing all site data.

What turned out to work better was JShelter extension on strict-mode. With recommended settings I still get reliably identified with the site but with strict-mode I get random fingerprint-hash on every page load which is exactly what we want.

The whole idea behind Mullvad browser is to run it with default settings so that everyone would look more or less the same and identifying would be difficult but this only seems to fool naive implementations of fingerprinting. I think that randomizing is the way to go since it also allows modifying the browser more to your liking.

JShelter in strict-mode does break some sites and in many places I have to turn it off when I log in to services but since the whole point of the login is to identify yourself you probably won’t need this kind of protection then anyway.

Even Brave browser, which is supposed to have randomized fingerprint when tested with Cover Your Tracks naive implementation, doesn’t work against the test above and gives the same hash on every reload. Restarting the browser seemed to cause hash to change which is good but removing all data and renavigating to the page didn’t and site was able to reliably identify Brave browser in same session.

E: Here’s another fingerprinting that you can test against. This does save cookies and sessionStorage/localStorage data to track you so this is more close to real world service. Removing cookies and site data with JShelter strict works against this and I get first visit on every page load.

E: Found out an error in my testing method. Brave and JShelter recommended mode works better cross-site while giving same value when retested on a same site. This just means that they work better than I first thought and both should give good protection against fingerprinting.

Farbling uses generated session and eTLD+1 keys to deterministically change outputs of certain APIs commonly used for browser fingerprinting.

1 Like
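A simplified model of the farbling description quoted above, showing why a test site sees the same hash on every reload within a session while a different site or a restarted browser sees a different one. This is an added illustration, not Brave's code; the HMAC/SHAKE construction, the function names and the sample canvas bytes are assumptions.

```python
import hashlib
import hmac

def site_key(session_key: bytes, etld1: str) -> bytes:
    """Per-site key: changes when the session key or the eTLD+1 changes."""
    return hmac.new(session_key, etld1.encode(), hashlib.sha256).digest()

def farble(pixels: bytes, session_key: bytes, etld1: str) -> bytes:
    """Flip the low bit of roughly 1 in 16 bytes, chosen by a keyed stream.

    The same (session, site) pair always selects the same bytes, so the
    perturbation is deterministic rather than random per call.
    """
    stream = hashlib.shake_256(site_key(session_key, etld1)).digest(len(pixels))
    return bytes(p ^ 1 if s < 16 else p for p, s in zip(pixels, stream))

def fingerprint(pixels: bytes) -> str:
    """What a fingerprinting script would compute over a canvas readback."""
    return hashlib.sha256(pixels).hexdigest()[:16]

# Constructed stand-ins: one canvas readback and two browser sessions.
CANVAS = bytes(range(256)) * 4
SESSION_A = b"session-key-A (constructed)"
SESSION_B = b"session-key-B (constructed)"

def observed(session_key: bytes, etld1: str) -> str:
    """Fingerprint a site would compute in a given session."""
    return fingerprint(farble(CANVAS, session_key, etld1))

if __name__ == "__main__":
    print("same site, reload 1 :", observed(SESSION_A, "example.com"))
    print("same site, reload 2 :", observed(SESSION_A, "example.com"))
    print("other site          :", observed(SESSION_A, "example.org"))
    print("after restart       :", observed(SESSION_B, "example.com"))
    print("unprotected browser :", fingerprint(CANVAS))
```

Clearing cookies and site data does not change either key in this model, which matches the behaviour reported in the post above.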